List Incidents
Gets a list of incident objects that Microsoft Defender XDR (formerly Microsoft 365 Defender) created to track attacks in an organization. The action calls the Microsoft Graph security API, so the Graph query parameters below apply.
- Least privileged Microsoft Graph permission to access the action via application: SecurityIncident.Read.All
- Higher privileged Microsoft Graph permission to access the action via OAuth: SecurityIncident.ReadWrite.All
External Documentation
To learn more, visit the Microsoft Defender XDR documentation.
Parameters
Parameter | Description |
---|---|
Count | The $count query parameter returns the total number of items in the collection, or the number matching the filter expression, alongside the results. For more information on using $count, refer to the Microsoft Query Parameters Documentation. |
Expand | The $expand query parameter includes the expanded resource or collection (such as alerts) referenced by a single relationship (navigation property) in the results. For more information on using $expand, refer to the Microsoft Query Parameters Documentation. |
Filter | The $filter query parameter retrieves a subset of the collection. For more information on using $filter, refer to the Microsoft Query Parameters Documentation. The following properties are supported in a filter: assignedTo, classification, determination, createdDateTime, lastUpdateDateTime, severity, status. |
Skip | The $skip query parameter sets the number of items to skip at the start of the collection. For more information on using $skip, refer to the Microsoft Query Parameters Documentation. |
Top | The $top query parameter specifies the maximum number of items to include in the result. For more information on using $top, refer to the Microsoft Query Parameters Documentation. |
Example Output
{
  "value": [
    {
      "@odata.type": "#microsoft.graph.security.incident",
      "id": "2972395",
      "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
      "redirectIncidentId": null,
      "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
      "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
      "createdDateTime": "2021-08-13T08:43:35.5533333Z",
      "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
      "assignedTo": "KaiC@contoso.com",
      "classification": "TruePositive",
      "determination": "MultiStagedAttack",
      "status": "Active",
      "severity": "Medium",
      "customTags": [
        "Demo"
      ],
      "comments": [
        {
          "comment": "Demo incident",
          "createdBy": "DavidS@contoso.com",
          "createdTime": "2021-09-30T12:07:37.2756993Z"
        }
      ],
      "systemTags": [
        "Defender Experts"
      ],
      "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
      "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
    }
  ]
}
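The following is an added example, not code from the original page or from Microsoft's Graph SDKs. It shows how the query parameters above are combined into a List Incidents request, how the paged response is walked by following @odata.nextLink, and how the returned fields (id, severity, status, assignedTo) feed a triage summary. The HTTP call is injected as a function so the example runs offline against a constructed two-page response; the function names build_incidents_url, iter_incidents, triage_summary and fake_fetch are assumptions of this example, and a real caller would supply a function that sends the URL with a bearer token carrying SecurityIncident.Read.All.

```python
"""Added example (not from the original page): build a Microsoft Graph
List Incidents request, walk its pages, and summarise the results."""
import re
import urllib.parse
from collections import Counter
from typing import Callable, Iterator

GRAPH_INCIDENTS = "https://graph.microsoft.com/v1.0/security/incidents"

# Properties the List Incidents endpoint accepts in $filter (from the page).
FILTERABLE = {"assignedTo", "classification", "determination",
              "createdDateTime", "lastUpdateDateTime", "severity", "status"}

# Matches "<property> <comparison operator>" pairs inside an OData filter.
_OPERAND = re.compile(r"\b([A-Za-z]+)\s+(?:eq|ne|gt|ge|lt|le)\b")


def build_incidents_url(filter_expr=None, top=None, skip=None,
                        expand=None, count=False):
    """Return the request URL with the OData query options percent-encoded.

    Filter properties are checked against FILTERABLE so a typo such as
    'Severity' fails here instead of as a 400 response from Graph.
    """
    if filter_expr:
        bad = set(_OPERAND.findall(filter_expr)) - FILTERABLE
        if bad:
            raise ValueError(f"unsupported $filter properties: {sorted(bad)}")
    params = {}
    if filter_expr:
        params["$filter"] = filter_expr
    if top is not None:
        params["$top"] = top
    if skip is not None:
        params["$skip"] = skip
    if expand:
        params["$expand"] = expand
    if count:
        params["$count"] = "true"
    # quote (not quote_plus) encodes spaces as %20; $ and ' stay literal
    # so the query remains readable in request logs.
    query = urllib.parse.urlencode(params, safe="$'()",
                                   quote_via=urllib.parse.quote)
    return f"{GRAPH_INCIDENTS}?{query}" if query else GRAPH_INCIDENTS


def iter_incidents(fetch_json: Callable[[str], dict],
                   url: str) -> Iterator[dict]:
    """Yield each incident, following @odata.nextLink until it is absent.

    Ids are de-duplicated because an incident updated between two page
    fetches can be returned on both pages of a server-sorted collection.
    """
    seen = set()
    while url:
        page = fetch_json(url)
        for incident in page.get("value", []):
            if incident["id"] in seen:
                continue
            seen.add(incident["id"])
            yield incident
        url = page.get("@odata.nextLink")


def triage_summary(incidents):
    """Count incidents by severity and list active ones with no owner."""
    by_severity = Counter(i.get("severity") for i in incidents)
    unassigned = sorted(i["id"] for i in incidents
                        if i.get("status") == "Active" and not i.get("assignedTo"))
    return {"by_severity": dict(by_severity), "unassigned_active": unassigned}


# Constructed two-page response for offline use. The first incident is
# trimmed from the page's example output; the second is invented.
_PAGES = {
    build_incidents_url("status eq 'Active'", top=1): {
        "value": [{"id": "2972395", "severity": "Medium", "status": "Active",
                   "assignedTo": "KaiC@contoso.com"}],
        "@odata.nextLink": GRAPH_INCIDENTS + "?$skiptoken=page2",
    },
    GRAPH_INCIDENTS + "?$skiptoken=page2": {
        "value": [{"id": "2972396", "severity": "High", "status": "Active",
                   "assignedTo": None}],
    },
}


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; serves the constructed pages."""
    return _PAGES[url]


def demo():
    """Run the whole flow against the constructed pages."""
    url = build_incidents_url("status eq 'Active'", top=1)
    incidents = list(iter_incidents(fake_fetch, url))
    return triage_summary(incidents)


if __name__ == "__main__":
    print(demo())
```

Two practical points the block makes explicit: $top bounds a single page, not the whole result, so any consumer must follow @odata.nextLink or it silently sees only the first page; and because $filter accepts only the seven properties listed above, validating the expression client-side turns a malformed workflow input into a local error rather than a failed run.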
Workflow Library Example
List Incidents with Microsoft Defender Xdr and Send Results Via Email